Tuesday, July 16, 2013

Do not cache dynamic resources if you deal with sensitive information

Log in to your website using Chrome. Right-click on the page body and select "Inspect element", click on the Network tab and navigate to a dynamic page showing important or sensitive information. Now click on any other link in the website, then click the "Clear" button at the bottom of the Chrome inspector.

Finally, hit the back button. At the top of the list, do you see that your page was pulled from a cache? If the page does not state how long it took to render (time latency = 0) and/or you see "from cache" in the "Size/Content" column, your server is most likely failing to send some important information in an HTTP header.

Click on the top resource, which should be the main page pulled as a result of the back button click. In the right pane you should be able to see the server response headers. Most likely one or more of the Cache-Control directives listed below is missing, leaving the application vulnerable: forensic work on any computer that accessed such a website could reveal sensitive information, usable directly or indirectly in other exploits, and the data from that website might remain accessible to a future intruder.
Cache-Control: no-cache, no-store, private, max-age=0, must-revalidate
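The manual inspector check above can be scripted. The following is an added example, not code from the original post: it parses a response's Cache-Control header and reports which of the five directives recommended above are absent, so the same check can be run against every sensitive page of a site you operate. The sample header dictionaries are constructed for illustration; `fetch_headers` is a hypothetical helper that performs a plain GET with the standard library.

```python
"""Report which recommended Cache-Control directives a response is missing."""
import sys
import urllib.request
from typing import Dict, List

# The directives the post recommends for pages that show sensitive data.
REQUIRED_DIRECTIVES = ("no-cache", "no-store", "private", "max-age=0", "must-revalidate")


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'no-cache, max-age=0' into {'no-cache': '', 'max-age': '0'}.

    Directive names are case-insensitive per RFC 7234, so they are lowered here.
    """
    directives: Dict[str, str] = {}
    for token in value.split(","):
        token = token.strip().lower()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip()] = arg.strip().strip('"')
    return directives


def missing_directives(headers: Dict[str, str]) -> List[str]:
    """Return the recommended directives absent from the response headers.

    A directive with an argument (max-age=0) only counts as present when the
    argument matches, so 'max-age=600' is reported as missing 'max-age=0'.
    """
    # Header field names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): val for name, val in headers.items()}
    present = parse_cache_control(lowered.get("cache-control", ""))
    missing: List[str] = []
    for directive in REQUIRED_DIRECTIVES:
        name, _, arg = directive.partition("=")
        if name not in present or (arg and present[name] != arg):
            missing.append(directive)
    return missing


def fetch_headers(url: str) -> Dict[str, str]:
    """Hypothetical helper (assumption): GET a URL and return its response headers."""
    with urllib.request.urlopen(url) as resp:  # nosec: run only against your own site
        return dict(resp.headers.items())


# Constructed sample responses, as they might appear in the inspector's right pane.
WEAK_RESPONSE = {"Content-Type": "text/html", "Cache-Control": "private, max-age=600"}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Cache-Control": "no-cache, no-store, private, max-age=0, must-revalidate",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Check a live page of a site you operate: python check_cache.py https://example.invalid/account
        report = missing_directives(fetch_headers(sys.argv[1]))
    else:
        report = missing_directives(WEAK_RESPONSE)
    print("missing directives:", report or "none")
```

The weak sample is reported as missing `no-cache`, `no-store`, `max-age=0` and `must-revalidate`, while the hardened sample passes. Older HTTP/1.0 intermediaries ignore Cache-Control, so servers commonly send `Pragma: no-cache` and an `Expires` date in the past alongside it; extending `REQUIRED_DIRECTIVES` with those checks is a one-line change.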
